Create account



CodeIgniter.com Twitter      


Thread Modes
XSS Global clean

El Forum
Guest
 
#1
06-17-2009, 10:01 AM
[eluser]Mat-Moo[/eluser]
I have this enabled as a matter of security (But still do some checking as well), but I have a new special controller I am writing that picks up an rss feed as a post which I need NOT to be sanitised. From what I've read on here I have to disable global CSS then add it to all my inputs (grrr) - or is there another way? [even print_r($_POST) is sanitised].

Any other input on this is welcome !

El Forum
Guest
 
#2
06-17-2009, 10:15 AM
[eluser]Dam1an[/eluser]
you could extend the input class, and override the sanitize globals function, so that it doesnn't include the $_POST array (line 141)
Assuming you use
Code:
$this->input->post('item');
instead of
$_POST['item'];
In the rest of the application, you should be fine

If you find yourself needint to sanitize the POST array, you could call the _clean_input_data function (which should really be private, but PHP4 lets you Wink)

El Forum
Guest
 
#3
06-17-2009, 02:20 PM
[eluser]Mat-Moo[/eluser]
Hmm, not convinced by that. Could I use a hook to disable the global xss when it's this one controller? Never really looked at hooks before.

El Forum
Guest
 
#4
06-17-2009, 02:30 PM
[eluser]Dam1an[/eluser]
If you did do it in a hook, you would have to use a pre_system hook, as thats your only chnce before the input class gets initialised
The problem is the router class has not yet been loaded at this point, so you'll have to load it yourself in the hook using
Code:
$RTR =& load_class('Router'); // Taken from CodeIgniter.php
if($RTR->class == 'the_controller') {
  ... do something
}

Although I'm not sure what 'do something' would be, as I'm not sure if it's a good idea to change config values on the fly like that (anyone?)

El Forum
Guest
 
#5
06-17-2009, 02:40 PM
[eluser]Dregond Rahl[/eluser]
could do one other thing, disable Global XSS Filter, and just modify (or even extend) the input library to have the default to $xss_clean = TRUE, then you can set specifically the inputs in that controller to be FALSE.

Code:
function post($index = '', $xss_clean = FALSE)
    {
        return $this->_fetch_from_array($_POST, $index, $xss_clean);
    }

El Forum
Guest
 
#6
06-17-2009, 04:33 PM
[eluser]xwero[/eluser]
A crude way would be to add a url check in the config.php file
Code:
$config['global_xss'] = ( ! in_array($_SERVER['REQUEST_URI'], array('/controller/method')) ? true : false;


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2021 MyBB Group.